Should credential ID length be validated? #132

@ScottHelme

The W3C WebAuthn Level 3 spec (§5.8.3) defines credential ID length constraints:

  • Minimum 16 bytes (a SHOULD in Level 2, becoming a MUST in Level 3)
  • Maximum 1023 bytes (new in Level 3)

Currently the library parses the credential ID from the attestation object in AuthenticatorData but does not validate its length. This means oversized or undersized credential IDs from a non-conforming or malicious authenticator are accepted without error.

Would you be interested in a PR to add length validation during processCreate()? Something like:

$length = \unpack('nlength', \substr($binary, 53, 2))['length'];
if ($length < 16 || $length > 1023) {
    throw new WebAuthnException('invalid credential ID length', WebAuthnException::INVALID_DATA);
}

Worth noting that Level 3 is still a working draft, so this could also be deferred until it's finalised — or made configurable. Happy to put together a PR if you think it's worth adding.
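
The length check proposed above, as an added stand-alone example that is not part of the original post or of the library's code. The helper names `extractCredentialId` and `sampleAuthData`, the use of `InvalidArgumentException`, and the sample inputs are assumptions made for illustration; the bounds are parameters so the minimum can be relaxed while Level 3 is still a draft, and the declared length is also checked against the bytes actually present.

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not part of the library: returns the credential ID
// from raw authenticator data, or throws if its length is out of bounds.
function extractCredentialId(string $authData, int $min = 16, int $max = 1023): string
{
    // rpIdHash (32) + flags (1) + signCount (4) + AAGUID (16) + length (2)
    if (\strlen($authData) < 55) {
        throw new \InvalidArgumentException('authenticator data too short');
    }
    // Bit 6 (0x40) of the flags byte: attested credential data is present.
    if ((\ord($authData[32]) & 0x40) === 0) {
        throw new \InvalidArgumentException('no attested credential data');
    }
    $length = \unpack('nlength', \substr($authData, 53, 2))['length'];
    if ($length < $min || $length > $max) {
        throw new \InvalidArgumentException('invalid credential ID length');
    }
    // The declared length must also fit inside the buffer that was received.
    if (\strlen($authData) < 55 + $length) {
        throw new \InvalidArgumentException('credential ID truncated');
    }
    return \substr($authData, 55, $length);
}

// Constructed sample input: zeroed rpIdHash, flags UP|AT (0x41), zero counter
// and AAGUID. The COSE public key that normally follows the ID is omitted.
function sampleAuthData(int $declared, int $actual): string
{
    return \str_repeat("\x00", 32) . "\x41" . \pack('N', 0)
        . \str_repeat("\x00", 16) . \pack('n', $declared) . \str_repeat("\xAA", $actual);
}

$cases = [
    '16 bytes (minimum)' => sampleAuthData(16, 16),
    '1023 bytes (max)'   => sampleAuthData(1023, 1023),
    '15 bytes'           => sampleAuthData(15, 15),
    '1024 bytes'         => sampleAuthData(1024, 1024),
    'declared 32, got 8' => sampleAuthData(32, 8),
];
foreach ($cases as $label => $authData) {
    try {
        echo $label, ': ok, ', \strlen(extractCredentialId($authData)), " bytes\n";
    } catch (\InvalidArgumentException $e) {
        echo $label, ': rejected, ', $e->getMessage(), "\n";
    }
}
```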
